Sandbox for semi-automatic JavaScript malware analysis and payload extraction. Written for Node.js.
malware-jail is written for Node’s ‘vm’ sandbox. It currently implements the WScript (Windows Scripting Host) context in env/wscript.js, at least the part frequently used by malware. The Internet browser context is partially implemented in env/browser.js. It runs on any operating system and has been tested on all Linux distros with Node v4.2.1.

Malware Sandbox ver.0.3

Warning:
Be careful when working with real malware. Malware that is aware of this sandbox may try to escape it and harm your PC. It’s recommended that you run it either from an unprivileged Linux account or from within a virtualized Windows.

Internet browser based malware you may test with:

Example Browser.js

The malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to a file ‘sandbox_dump_after.json’. There you may find:
+ _eval_calls – array of the arguments of all eval() calls. Useful if eval() is used for deobfuscation.
+ _wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
+ _wscript_urls – all URLs that the malware intended to GET or POST.
+ _wscript_objects – WScript or ActiveX objects created.
+ ‘sandbox_dump_after.json’ uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to the same object.
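
A triage sketch for the dump described above, added here as an example and not part of malware-jail's own code. It resolves the cycle.js-style `{"$ref": ...}` entries without eval(), which matters because the dump content originates from hostile script, and then summarises the listed fields. The function names (`parsePath`, `retrocycle`, `triage`) and the value shapes in the constructed sample are assumptions.

```javascript
// Turn a cycle.js-style path such as $["a"][0] into its keys: ["a", 0].
function parsePath(path) {
  if (typeof path !== 'string' || path[0] !== '$') throw new Error('bad $ref: ' + path);
  const keys = [];
  const segment = /\[(\d+|"(?:[^\\"]|\\.)*")\]/y; // sticky: must match at lastIndex
  segment.lastIndex = 1;
  while (segment.lastIndex < path.length) {
    const m = segment.exec(path);
    if (!m) throw new Error('bad $ref: ' + path);
    keys.push(JSON.parse(m[1]));
  }
  return keys;
}

const own = (o, k) => (o !== null && typeof o === 'object' &&
  Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined);
// Replace every {"$ref": path} node with the object it points to, in place, no eval().
function retrocycle(node, root = node) {
  if (node === null || typeof node !== 'object') return node;
  for (const k of Object.keys(node)) {
    const v = node[k];
    if (v && typeof v === 'object' && typeof v.$ref === 'string') {
      node[k] = parsePath(v.$ref).reduce(own, root); // own-property lookups only
    } else retrocycle(v, root);
  }
  return node;
}

// Summarise the fields listed above; URLs are defanged for pasting into reports.
function triage(dumpText) {
  const dump = retrocycle(JSON.parse(dumpText));
  const defang = (u) => String(u).replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
  return {
    evalCalls: (dump._eval_calls || []).length,
    urls: (dump._wscript_urls || []).map(defang),
    droppedFiles: Object.keys(dump._wscript_saved_files || {}),
  };
}

// Constructed sample dump; the value shapes are assumptions, not a real run.
const SAMPLE = JSON.stringify({
  _eval_calls: ['var a = 1;'],
  _wscript_urls: ['http://malware.example/payload.bin'],
  _wscript_saved_files: { 'C:\\Temp\\drop.exe': 'MZ' },
  _wscript_objects: { 'WScript.Shell': { name: 'WScript.Shell' } },
  shell: { $ref: '$["_wscript_objects"]["WScript.Shell"]' },
  self: { $ref: '$' },
});
console.log(triage(SAMPLE));
```

A path that is not a sequence of bracketed indexes or quoted keys is rejected with an error instead of being evaluated.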